Package: libpq5
Version: 11.2-2
Severity: serious
Affects: bandwidthd-pgsql dballe inspircd libnss-pgsql2 libodb-pgsql-2.4 pmacct r-cran-rpostgresql saga sphinxsearch tora ulogd2-pgsql yubikey-server-c
Justification: renders many Debian packages undistributable

Hello,

It's come to my attention that in buster and unstable, packages which build-depend on libpq-dev wind up linked against libpq5, which in turn links against OpenSSL (libssl1.1). This includes software which is licensed under the GPL and uses the PostgreSQL APIs.

It is well understood that the OpenSSL license is not "compatible" with the GPL (either version 2 or 3); and furthermore, Debian has long taken the position that, unless a license exception is granted by the copyright holders, a package which is distributed under the GPL must only link to libraries whose licenses are also GPL-compatible in order for it to be included in Debian.

I am opening this as a serious bug, since I believe this makes a large and indeterminate number of packages non-distributable in buster. See also bug 921488 which was the same situation but with MariaDB.

Based on a quick glance through the debian/copyright files of reverse dependencies, I found the following packages that appear to generally be licensed GPL-2 (only) for example and list no OpenSSL linking exception. If I've accurately understood which licence applies in these cases, this situation certainly cannot be resolved even with the upcoming OpenSSL upstream relicense to Apache-2.0. Note that this is an indicative non-exhaustive list only, based on some approximations and only sampling to check accuracy; I haven't verified each one in detail.

  bandwidthd-pgsql
  dballe
  inspircd
  libnss-pgsql2
  libodb-pgsql-2.4
  pmacct
  r-cran-rpostgresql
  saga
  sphinxsearch
  tora
  ulogd2-pgsql
  yubikey-server-c

There are many more reverse dependencies licensed with GPL-2+, GPL-3, etc, which suffer this redistributability until the relicensed OpenSSL arrives in Debian.

Thanks,